About DayZero

DayZero Systems is dedicated to creating tools that identify previously unknown malware without requiring known signatures, on day zero, the day the malware is launched.

Memory Analysis

Test Case: Memory Checker

The SigFree memory analyzer uses SigFree technology to extract ALL executable instruction sequences from memory blocks. The disassembled sequences are output as shown in the following figure.

[Figure: Memory Analysis (disassembled sequences output by the memory analyzer)]

To help users locate the sequences they are interested in, the memory analyzer also outputs characteristics of each sequence, such as the number of useful instructions and the number of function calls (see the SigFree API).

There are several main differences between using SigFree for memory analysis and using SigFree as a packet analyzer:

  • The SigFree packet analyzer is designed to detect shellcode communicated over networks (such as malicious HTTP requests or responses), whereas the memory analyzer is designed to extract all executable sequences from memory blocks.
  • The main purpose of packet analysis is to determine whether or not a packet contains executable code (shellcode). The purpose of the memory analyzer is to extract all possible executable sequences from a memory block; those sequences may come from malicious viruses or from normal applications.
  • The packet analyzer was designed from the beginning for high throughput and processing speed, while the memory analyzer was initially designed to analyze memory blocks thoroughly and completely, where speed was not the most important element.

Sometimes there are too many output sequences to be useful. Users may specify filter rules so that only the small fraction of sequences that interest them are shown. Example filter rules include the number of useful instructions in the sequence, the ratio of useful instructions in the sequence, the number of function calls found in the sequence, the number of functions in the sequence, the GetPC count in the sequence, etc.

The evaluation dataset included 753 memory snapshots: 329 of them contain at least one occurrence of “push ebp, mov ebp, esp” and are considered executable, and the other 424 are non-executable.

Without filtering, the initial result is 12 false negatives and 31 false positives. Filtering out false-positive sequences is easy, because the maximum useful-instruction ratio of false positives is below 60% in most cases, while the ratio for truly executable sequences is above 80% in most cases. If we set the useful ratio to 60% in the useful-ratio filter rule, only one false positive remains, gnome-panel/data2(rw). The filter rule has no effect on the false negatives.

Note that if users want to analyze polymorphic or metamorphic viruses, the useful-ratio filter rule should not be set too high, because the virus may insert useless instructions to fool signature-based filters. An example is Net-Worm.Win32.CodeRed.a, whose executable sequences have a useful ratio of only 70%~75%. An extreme case is Rootkit.Win32.Spb.a: its sequences contain a lot of useless instructions, and the useful ratio of its executable sequences is only around 30%.

All 12 false-negative files contain only incomplete and very short instruction sequences.

For example, screen-saver/libplc4(rx) contains only the following sequence, which is not typical of malicious code.

    push $ebp
    mov $ebp,$esp
    call 000010B0
    call 00001140
    call 00002760
    leave
    retn
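The filter rules described above (useful-instruction count and ratio, call count, function count, GetPC count) can be reproduced on disassembled listings of the form shown for libplc4. The following is an added example written for this page, not SigFree SDK code and not its API: it parses such a listing, computes the per-sequence characteristics, and applies a threshold rule. Which instructions count as "useful" is not defined on the page, so the definition here (nops and self-moves are useless) is an assumption, as is the counting of "push ebp; mov ebp,esp" prologues as functions and of call/pop pairs as GetPC occurrences. The three sample listings are constructed: the libplc4 one is copied from the page, the other two are made up to show the 60% and 80% thresholds behaving differently on a padded sequence.

```python
"""Score disassembled instruction sequences with SigFree-style filter rules.

Illustrative code added for this page; it is not the SigFree SDK. The
instruction classes and the 'useful' definition are assumptions."""
from dataclasses import dataclass
from typing import List, Tuple

# Assumption: an instruction is "useless" if it is a nop or a register moved or
# exchanged with itself, the kind of padding that dilutes signature matches.
NOP_MNEMONICS = {"nop"}
SELF_MOVE_MNEMONICS = {"mov", "xchg"}
# Assumption: a call followed by pop, or an fnstenv/fstenv, is counted as GetPC.
GETPC_FOLLOWERS = {"pop"}
GETPC_DIRECT = {"fnstenv", "fstenv"}


def parse_line(line: str) -> Tuple[str, List[str]]:
    """Turn 'mov $ebp,$esp' into ('mov', ['ebp', 'esp']). The '$' register
    prefix mirrors the page's listing and is stripped for comparison."""
    parts = line.strip().split(None, 1)
    mnemonic = parts[0].lower()
    operands: List[str] = []
    if len(parts) > 1:
        operands = [op.strip().lstrip("$").lower() for op in parts[1].split(",")]
    return mnemonic, operands


def is_useful(mnemonic: str, operands: List[str]) -> bool:
    if mnemonic in NOP_MNEMONICS:
        return False
    if mnemonic in SELF_MOVE_MNEMONICS and len(operands) == 2 and operands[0] == operands[1]:
        return False
    return True


@dataclass
class SequenceStats:
    instructions: int
    useful: int
    calls: int
    functions: int  # prologues: push ebp ; mov ebp,esp
    getpc: int

    @property
    def useful_ratio(self) -> float:
        return self.useful / self.instructions if self.instructions else 0.0


def analyze(listing: str) -> SequenceStats:
    """Compute the characteristics a filter rule is evaluated against."""
    insns = [parse_line(l) for l in listing.splitlines() if l.strip()]
    useful = sum(1 for m, o in insns if is_useful(m, o))
    calls = sum(1 for m, _ in insns if m == "call")
    functions = getpc = 0
    for i, (m, o) in enumerate(insns):
        nxt = insns[i + 1] if i + 1 < len(insns) else None
        if m == "push" and o == ["ebp"] and nxt and nxt[0] == "mov" and nxt[1] == ["ebp", "esp"]:
            functions += 1
        if m == "call" and nxt and nxt[0] in GETPC_FOLLOWERS:
            getpc += 1
        if m in GETPC_DIRECT:
            getpc += 1
    return SequenceStats(len(insns), useful, calls, functions, getpc)


@dataclass
class FilterRule:
    """A sequence is shown only if every minimum is met."""
    min_useful_ratio: float = 0.0
    min_useful: int = 0
    min_calls: int = 0
    min_functions: int = 0
    min_getpc: int = 0

    def matches(self, s: SequenceStats) -> bool:
        return (s.useful_ratio >= self.min_useful_ratio and s.useful >= self.min_useful
                and s.calls >= self.min_calls and s.functions >= self.min_functions
                and s.getpc >= self.min_getpc)


# Sample listings. LIBPLC4 is the page's example; the other two are constructed.
LIBPLC4 = "push $ebp\nmov $ebp,$esp\ncall 000010B0\ncall 00001140\ncall 00002760\nleave\nretn\n"
# Constructed: real code padded with nops and self-moves (ratio 9/13, about 69%).
PADDED = ("push $ebp\nmov $ebp,$esp\nnop\nmov $eax,$eax\ncall 00401005\npop $eax\nnop\n"
          "xchg $ebx,$ebx\nsub $esp,0x40\nxor $eax,$eax\nadd $eax,$ebx\nleave\nretn\n")
# Constructed: mostly padding, the shape of non-code bytes decoded as instructions.
JUNK = "nop\nnop\nmov $eax,$eax\nnop\nxchg $ecx,$ecx\nadd $eax,$ebx\nnop\nnop\n"


def shown(listing: str, rule: FilterRule) -> bool:
    return rule.matches(analyze(listing))


if __name__ == "__main__":
    for name, text in (("libplc4", LIBPLC4), ("padded", PADDED), ("junk", JUNK)):
        s = analyze(text)
        print(f"{name:8} useful={s.useful}/{s.instructions} ({s.useful_ratio:.0%}) "
              f"calls={s.calls} functions={s.functions} getpc={s.getpc} "
              f"ratio>=60%:{shown(text, FilterRule(min_useful_ratio=0.6))} "
              f"ratio>=80%:{shown(text, FilterRule(min_useful_ratio=0.8))}")
```

With the 60% rule the padded sequence is still shown while the junk sequence is dropped; raising the rule to 80% hides the padded sequence as well, which is the trade-off the page warns about for polymorphic code. A rule on the useful-instruction count (for example a minimum of 8) would drop the seven-instruction libplc4 listing entirely, illustrating why very short sequences are hard to classify by these characteristics alone.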

This test case shows an interesting contrast between packet analysis and memory block analysis using the SigFree DLL. In packet analysis, normal packets contain data, and packets carrying malicious code are a very small percentage of the total; almost any executable code is therefore suspect, and the analysis is highly deterministic. In memory block analysis, executable code is typical, depending on the blocks being analyzed, so when developing your programs with the SigFree SDK it pays to spend time developing heuristics for your particular environment.